Using constrained types in C

When writing critical software, one of the advantages cited for using Ada rather than C is that Ada lets
you define constrained types, like this:

type Percentage is Integer range 0 .. 100;

The Ada compiler inserts a run-time check wherever the program assigns a value to a variable of
type Percentage that might be less than 0 or greater than 100, and in similar situations,
such as passing a parameter of that type.

C doesn’t support constrained types. Fortunately, there are ways around this. One is to
use eCv’s constrained typedef syntax:

typedef int invariant(0 <= value; value <= 100) Percentage;

We met the invariant macro in an earlier post – it expands to nothing when your
program is compiled, making the constraint invisible to a regular C or C++ compiler. So you won’t get
run-time checking of the constraint. However, eCv will try to prove that the constraint is obeyed.
For example, the following function:

I’ve made Percentage type-compatible with int, but ensured that any
attempt to assign or convert an int to a Percentage is subject to a range check
(replace “...” with whatever you want to do when a range check fails).

If your C++ compiler supports templates, then you can define a class template with selectable minimum and
maximum values. This makes it trivial to introduce new types like Percentage with a simple typedef.
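As an added illustration (my own code, not the post's or eCv's), here is one way such a class template can look: the value is kept in a plain int, converts back to int implicitly, and every construction or assignment from an int is range-checked. Throwing std::out_of_range is the assumed stand-in for the post's "..." step.

```cpp
#include <stdexcept>
#include <string>

// Hypothetical class template: an integral value held within [Min, Max].
template <typename T, T Min, T Max>
class Constrained {
    static_assert(Min <= Max, "empty range");
public:
    // Constructing from or assigning a T is subject to a range check.
    Constrained(T v) : value_(check(v)) {}
    Constrained& operator=(T v) { value_ = check(v); return *this; }
    // Implicit conversion back to T keeps the type compatible with int.
    operator T() const { return value_; }
    static constexpr T min() { return Min; }
    static constexpr T max() { return Max; }
private:
    static T check(T v) {
        if (v < Min || v > Max)
            throw std::out_of_range("value " + std::to_string(v) + " outside [" +
                                    std::to_string(Min) + ", " + std::to_string(Max) + "]");
        return v;
    }
    T value_;
};

// New constrained types are a one-line typedef, as in the post.
typedef Constrained<int, 0, 100> Percentage;

// Arithmetic is done on plain ints; the result is re-checked when it
// is converted back to a Percentage.
Percentage scale(Percentage p, int numerator, int denominator) {
    return Percentage((p * numerator) / denominator);
}

// True if v can be stored as a Percentage without violating its range.
bool is_valid_percentage(int v) {
    try { Percentage p(v); (void)p; return true; }
    catch (const std::out_of_range&) { return false; }
}

// True if scaling p stays within the Percentage range.
bool scale_fits(Percentage p, int numerator, int denominator) {
    try { scale(p, numerator, denominator); return true; }
    catch (const std::out_of_range&) { return false; }
}
```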